SEC 1391 Building a Security Monitoring Strategy 2.0
Transcript of SEC 1391 Building a Security Monitoring Strategy 2.0
Paul D’Avilar | Paul Pelletier – Security Consultants, Professional Services
© 2019 SPLUNK INC.
Forward-Looking Statements
During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC.
The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.
Splunk, Splunk>, Listen to Your Data, The Engine for Machine Data, Splunk Cloud, Splunk Light and SPL are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners. © 2019 Splunk Inc. All rights reserved.
Paul and Paul
“People ask us all the time, ‘What keeps you up at night?’ And we say, ‘Spicy Mexican food, tweets that affect our stock portfolios, and low cyber (attacks) preparedness.’”
Paul D’Avilar – Sr. Security Consultant | Splunk
Paul Pelletier – Staff Security Consultant | Splunk
A Little About Us
We’re both Splunkers for starters ☺
▶ Paul Pelletier
• 18 year infosec veteran with lots of alphabet soup behind my name
• Used to own my own MSSP
• Worked everywhere from a hometown bank to an underground utility locating company to some of the largest consulting companies in the world
• Securing ICS and critical infrastructure is one of my passions
• Favorite Quote: I hope for nothing. I fear nothing. I am free. – Nikos Kazantzakis
▶ Paul D’Avilar
• 15 year infosec veteran with a primary focus on PubSec
• Risk-centric and solution oriented – learning to work smarter, not harder
• Reformed Google fanboy
• Deloitte Alum
• World traveler, tinkerer, home automation, IoT
• Favorite Quote: The best way to predict the future is to create it – Nephew’s HS Graduation Wristband (credited: Abraham Lincoln and Peter Drucker)
Agenda
If all goes well, we will cover:
▶ Why Continuous Security Monitoring (CSM) is important
• I think we talked about this last year, but in case you missed it, here’s a quick recap
▶ What we have learned
▶ Patterns and principles for an effective CSM program
• Core components
• Core data sources and why
• Essential use cases
• Machine learning and artificial intelligence vs. heuristic or static based
• Measuring your maturity
• How to progress up the maturity curve and stop your adversaries sooner
▶ Key takeaways
What’s The Point Of Security Monitoring (Again)
Supports the creation and sustainability of value. A platform based approach is needed to achieve the objectives for security monitoring:
• Identify and protect assets (crown jewels)
• Security Ops / Incident Response: alert and investigate processes
• Cyber hygiene: compliance
• Visibility: alignment
• Informs the decision to take action (tell me what I need to act on)
• Risks / security posture (what are my vulnerabilities)
How To Make It Tangible (With A Framework)
Lay out a roadmap for operationalizing capabilities to achieve objectives based on existing constraints.
Objectives
• What matters most
• What is achievable in a defined timeframe
• What support is needed
Constraints
• Operational requirements
• Resiliency
• Laws and regulations
• Budget
Capabilities
• Technologies
• Processes/procedures
• People and skillsets
Considering Data Sources And Silos
So much noise, focus is essential
[Figure: map of security domains and the capabilities within them. Domains: Network Security; Governance Risk & Compliance; Responsive Security Management; Identity & Access Management; Threat & Vulnerability Management; Information & Data Privacy; Supplier Management; IR & Crisis Management; Disaster Recovery & BCM; Legal & Electronic Discovery; Training & Awareness; Endpoint Security; Physical and Data Center Security; Information & Data Protection; Secure Application Development. Capabilities: Security Monitoring Services; Penetration Testing; Vulnerability Scanning; Data Classification Scheme; Vendor Risk Assessment; Contract Management; SSO and Multi-Factor; IDM Automation; Entitlement Management; Security Policies; Security Standards; Control Objectives; Secure SDLC; Security Testing; Encryption, Masking, and Obfuscation; Data Leakage Protection; Access Management; Risk Management; Risk and Control Library; Control Effectiveness; Anti-Malware and HIPS; APT Detection; MDM; Firewall; IDP; NAC; Directory Services; PAM/PIM; Key Management; Asset Inventory; Red Teaming; Internet Reconnaissance; Offensive Security; Secure VDE / VDI; BCP; Data Activity Monitoring; Asset Classification; WAF; Configuration Management; Patch Management; DDoS Protection; Wireless; Secure Web Gateway; Network Anti-Virus; SPAM and Phishing Filter; Network DLP; AAA; Secure VPN; Network Segmentation.]
So You’ve Decided To Implement A CSM
What are the next steps?
▶ Hopefully you’ve picked a framework around which you can drive consistency and measure your growth/maturity
• Like NIST SP 800-137
• Risk Management Framework
▶ Know Thyself – Cyber Security Bible v 1:1
• Know your people, know your critical assets and crown jewels; data categorization is key!!!
• What are your drivers? Business needs | Compliance | Regulatory
• Turn data into actions
▶ Drive successful business outcomes
▶ Have a tested Incident Response plan in place (make this recurring…)
Wait! Wait! Midcourse Adjustments
Lessons learned after a year of engaging with customers and practitioners on the topic
Pitfalls And False Starts
Observations from the field on the adoption of key tenets from our presentation, and our responses.
Observations:
• Paralysis in getting started – stagnation
• Light on substance, strategy and adoption
• Lack of proper resourcing – empowerment of users
• Underutilization of OOTB capabilities
Responses:
• Executive Sponsorship – involvement of key stakeholders that will champion the cause
• Data Onboarding Strategy – guides users through the process of getting data into the platform and making it useful: CIM | Validation | Use Cases
• Alerting and Detection Strategy – event management and incident response framework
• Scalability – plan for the security monitoring infrastructure to support the demands; be agile/nimble and shorten time-to-value
• Adoption of Technology Trends – alignment with and adoption of technology trends to enable the collection, use, and incorporation of new approaches such as containerization, micro-services, hyper-convergence, etc.
• User Enablement – enable users through formal and informal training; they will provide your biggest return on invested $$$
• Interconnected Security Stack – integrate your team, processes, and tools together, including automation and orchestration where it makes sense, to decrease the time to make a decision and act
• Analyst Focused – empower a collaborative SOC…
• SmartStore – scale up/down memory and data storage independently to save money and maintain search performance
• Workload Management – prioritize allocation of compute and memory resources
• AI & ML-powered Analytics – augment human skills…
Our 2 Cents And More
A collection of our recommendations for moving security monitoring forward and up the maturity curve

Function: Data Onboarding
• Recommended action: Make the progress visible (business leaders | ISSOs | Risk Officers) – build apps. OOTB: Guided Data Onboarding (14+) | Center of Excellence | Security Essentials
• Recommended action: Build a quick start guide (TLDR version). OOTB: Center of Excellence
• Recommended action: Develop approved architectures/models based on alignment to vetted principles and patterns. OOTB: Splunk Validated Architectures are good examples
Function: Alert and Detection Strategy
• Recommended action: Develop a strategy/plan for deciding importance, increasing fidelity, etc… OOTB: Splunk ES Frameworks (e.g. Risk, Threat) | SecKit | Security Essentials | ESCU
Function: Incident Management Workflow
• Recommended action: Understand your incident management workflow; it is never too early to build workbooks/runbooks (technology agnostic). OOTB: Mission Control | Splunk Phantom
Function: Technology Strategy for Security
• Recommended action: Align security infrastructure with organizational strategies and ownership, leverage hybrid models (no snowflakes). OOTB: Splunk Cloud | Data Stream Processor | SmartStore
Function: Productive Management
• Recommended action: Stay on top of your deployment and growth, productively engage with your customers, build an admin app. OOTB: Monitoring Console
So What Is Security Monitoring Again?
So let’s do something already: strive to gain visibility as well as resiliency
Pick A Security Monitoring Framework
Lots of different approaches
▶ Cyber
• NIST Cyber Security Framework (CSF)
• One of the most widely adopted methodologies around (it’s not just for the US Government, it’s good for everyone)
• Australian Cyber Security HHS
• CIS Top 20 Critical Controls
• ISO 27001/2
• ISA 62443
▶ Compliance
• PCI-DSS
• HIPAA
• GLBA
• SOX
▶ Align business objectives with strategic security goals
Define Your Data Collection Strategy
Define your approach for collecting event data across the enterprise
UF everywhere possible
▶ Splunk all your endpoints!!! (YES – those laptops and mobile devices)
▶ Windows baseline
• System and Security
▶ *nix baseline
• /var/log
• /var/log/audit.log
▶ Insightful
• PowerShell/CLI
• Sysmon
Log aggregation when needed
▶ Syslog
▶ Streaming/real-time data sources – Kafka
▶ …
Cloud environments
▶ PaaS
• AWS
• Azure
• ...
▶ SaaS
• O365
• SFDC
• Akamai
• Security tools
• …
▶ Private and hybrid ones too
Third parties
▶ Partners and collaborators
▶ Technology providers/vendors providing services
▶ ….
Containers
▶ Docker
▶ Kubernetes
▶ ….
Onboard Necessary Data Sources
This is what we recommend to get started
ES required data sources
• Network/Host IDS
• DNS
• Antivirus
• Web Proxy
• Firewall
• Vulnerability Scanning
• Active Directory
• VPN
• ***Assets and Identities is KEY***
Ideal
• Sysmon
• CLI and PowerShell logging
• UFs on all endpoints
• Full NGE data
• Full enrichment in ES
Adopt An Alerting And Detection Strategy
Define your approach for detection and response to known/unknown threats
• Risk based approach
• Sufficient coverage and visibility of the tactics and techniques
• Ability to disrupt and contain the risk (threat/adversary) sooner
• Be transparent – create awareness through reports and metrics | Visibility
Various Alerting And Detection Strategies
• Diamond Model for Intrusion Analysis
• MITRE ATT&CK
• CIS
• Palantir
Strengthen defenses by integrating existing security infrastructure together so that each part is an active participant: Security | IT | Business Users | Developers | IoT, on-premises and cloud.
Considerations For Risk Based Alerting
A new’ish concept with a twist
▶ Alert fatigue anyone….
▶ Threat Intel
• Create attributions for matches
• Dynamic score based on feed, asset/identity, or other context
▶ IDS/AV
• Map the IDS vendor categories into ATT&CK / Kill Chain phases
• Dynamic score based on category, asset/identity, or other context
▶ Behavioral anomaly attributions (SSE and ESCU)
▶ Outlier attributions – leveraging ML
▶ 3rd party integrations to include their risk attributions, like WHOIS
A Risk Driven Approach To Alerting
Mindset shift: cast a wide net
[Figure: pipeline from Indicator Search → Risk Score and Attribution → Risk Index, with Risk Rules writing into the index and a Risk Incident Rule reading from it]
Not every alert (detection) should be a notable
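As an added illustration (not code from the deck or from Splunk ES), the risk rule / risk incident rule split in plain Python: individual detections write low, ATT&CK-attributed scores into a risk index, the score is scaled by asset criticality, and a notable is raised only when an object’s accumulated risk crosses a threshold or spans several tactics. The asset criticality values, rule names, scores and thresholds are constructed for the example.

```python
"""Risk based alerting: detections (risk rules) add scored, attributed
risk events to a risk index; a risk incident rule raises a notable only
when an object's accumulated risk crosses a threshold or spans several
ATT&CK tactics.  Rule names, scores and assets are constructed."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed asset context: criticality multiplier per host (assumed values).
ASSET_CRITICALITY = {"dc01": 3.0, "fileserver01": 2.0, "laptop-042": 1.0}

@dataclass
class RiskEvent:
    risk_object: str   # asset or identity the detection attributes risk to
    source: str        # the risk rule (detection) that produced the event
    base_score: float  # score the rule assigns before any context
    tactic: str        # ATT&CK tactic attribution
    time: int          # epoch seconds

def score_with_context(ev):
    """Dynamic score: the rule's base score scaled by asset criticality."""
    return ev.base_score * ASSET_CRITICALITY.get(ev.risk_object, 1.0)

def risk_incident_rule(index, window=86400, score_threshold=100, min_tactics=3):
    """Aggregate risk per object over the window ending at its latest event
    and return the objects that deserve a notable, with their evidence."""
    by_object = defaultdict(list)
    for ev in index:
        by_object[ev.risk_object].append(ev)
    notables = {}
    for obj, events in by_object.items():
        latest = max(e.time for e in events)
        recent = [e for e in events if latest - e.time <= window]
        total = sum(score_with_context(e) for e in recent)
        tactics = sorted({e.tactic for e in recent})
        if total >= score_threshold or len(tactics) >= min_tactics:
            notables[obj] = {"score": total, "tactics": tactics,
                             "sources": sorted({e.source for e in recent})}
    return notables

# Constructed risk index: low scores that are not alarming on their own.
RISK_INDEX = [
    RiskEvent("laptop-042", "Threat Intel - Domain Match", 20, "Command and Control", 1000),
    RiskEvent("laptop-042", "IDS - Suspicious PowerShell", 20, "Execution", 1200),
    RiskEvent("laptop-042", "ML Outlier - Unusual Logon Hour", 10, "Initial Access", 1500),
    RiskEvent("laptop-042", "Anomaly - New Scheduled Task", 15, "Persistence", 1800),
    RiskEvent("dc01", "IDS - Kerberos Anomaly", 40, "Credential Access", 2000),
    RiskEvent("fileserver01", "AV - Adware Quarantined", 10, "Execution", 100),
    RiskEvent("fileserver01", "AV - Adware Quarantined", 10, "Execution", 200000),
]

if __name__ == "__main__":
    for obj, evidence in risk_incident_rule(RISK_INDEX).items():
        print(obj, evidence)
```

The laptop never reaches the score threshold but touches four tactics, the domain controller crosses the threshold on one event because of its criticality, and the file server's stale adware hits never aggregate into anything.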
Aim To Disrupt And Contain
Ensure you can respond faster and reduce dwell times
• Automation and orchestration
• Interconnected security stack
• Machine learning to augment human skills
• Adaptive response
▶ CIS Top 20 (really, accomplishing the top 4 is a big deal)
▶ ASD Essential 8
▶ Lockheed Martin Kill Chain
▶ …
Machine Learning / Artificial Intelligence Use Case Methods
Baselining / historical
• Collects data, creates a model, evaluates against the model
• Creates a baseline of what is “normal” and then measures any changes against that model
• Utilizes very sophisticated algorithms, but is not easily customized with custom use cases/queries
Lateral Movement
• Splunk uses 45+ anomaly classifications based off existing logs that UBA puts into various threat models
• Via unsupervised ML these use cases are created based off the available data
• Detects anomalous changes that are indicative of lateral movement
Data Exfiltration
• Again utilizing unsupervised ML we can detect changes in endpoint behavior and definitively output the results to the user as anomalies that indicate data exfil
• Anomalies are not necessarily false positives; they are changes in behavior that have not been seen before
Heuristic And Static Use Case Methods
Human based
▶ Require extensive tuning
▶ Can generate more false positives
▶ Allow for highly/easily customized rules
▶ Logic is entirely up to you
These types of queries are generally not “intelligent” like ML or AI; the logic is entirely up to us. It’s not generated on the fly.
Mimikatz
• This is a point detection that looks for specific terms, PowerShell executions and event IDs
• Still very effective
• Generates few false positives
Point detections like this are great at finding very specific events.
Brute Force
• A little harder to solve because we want to see successive failures followed by a singular success
• Requires extensive tuning
• Requires effective logic to tune down the noise and give actual brute force detections
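The brute force logic described above, as an added example rather than one of the deck’s own searches: it walks constructed auth log lines and flags a (user, source) pair only when a success follows at least N consecutive failures inside a time window, so failure streaks that never succeed, and stale failures long before a success, do not alert. The log layout, threshold and window are assumptions.

```python
"""Heuristic brute force detection: consecutive failures for one
(user, source) pair followed by a success inside a time window.
Requiring the success is what keeps the noise down."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample auth log lines (syslog-like layout, not real data).
SAMPLE_LOG = """\
2019-10-21T09:00:01 sshd auth failure user=alice src=10.0.0.5
2019-10-21T09:00:02 sshd auth failure user=alice src=10.0.0.5
2019-10-21T09:00:03 sshd auth failure user=alice src=10.0.0.5
2019-10-21T09:00:04 sshd auth failure user=alice src=10.0.0.5
2019-10-21T09:00:05 sshd auth failure user=alice src=10.0.0.5
2019-10-21T09:00:09 sshd auth success user=alice src=10.0.0.5
2019-10-21T09:05:00 sshd auth failure user=bob src=10.0.0.7
2019-10-21T09:05:01 sshd auth failure user=bob src=10.0.0.7
2019-10-21T09:05:02 sshd auth success user=bob src=10.0.0.7
2019-10-21T10:00:00 sshd auth failure user=carol src=10.0.0.9
2019-10-21T10:00:01 sshd auth failure user=carol src=10.0.0.9
2019-10-21T10:00:02 sshd auth failure user=carol src=10.0.0.9
2019-10-21T10:00:03 sshd auth failure user=carol src=10.0.0.9
2019-10-21T10:00:04 sshd auth failure user=carol src=10.0.0.9
2019-10-21T11:30:00 sshd auth success user=carol src=10.0.0.9
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) \S+ auth (?P<result>failure|success) "
                     r"user=(?P<user>\S+) src=(?P<src>\S+)$")

def parse(line):
    """Return (epoch, result, user, src) or None for an unparsable line."""
    m = LINE_RE.match(line)
    if not m:
        return None  # skipped, never counted as a failure
    return (datetime.fromisoformat(m["ts"]).timestamp(),
            m["result"], m["user"], m["src"])

def detect_brute_force(log_text, min_failures=5, window_seconds=600):
    """One finding per (user, src) whose success came after at least
    min_failures consecutive failures within window_seconds."""
    streaks = defaultdict(deque)  # (user, src) -> timestamps of failures
    findings = []
    for line in log_text.splitlines():
        parsed = parse(line)
        if parsed is None:
            continue
        ts, result, user, src = parsed
        q = streaks[(user, src)]
        while q and ts - q[0] > window_seconds:  # expire stale failures
            q.popleft()
        if result == "failure":
            q.append(ts)
            continue
        if len(q) >= min_failures:  # success right after a streak
            findings.append({"user": user, "src": src, "failures": len(q),
                             "success_at": line.split()[0]})
        q.clear()  # any success ends the streak
    return findings

if __name__ == "__main__":
    for finding in detect_brute_force(SAMPLE_LOG):
        print(finding)
```

Only alice is reported: bob has too few failures, and carol’s failures expired long before the success, which is the tuning the slide is asking for.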
Shhhh, Keep Down The Noise
Selection is key
▶ Be strategic
• Don’t pick a use case just to have a use case
▶ Pick only use cases that are high value and high fidelity
▶ If you can’t action the use case you probably don’t need it
• What does the alert tell the analyst?
▶ Event sequencing is awesome, use it!
Machine Learning Toolkit
• Expansive data access: enable any user from anywhere, architected for the hybrid world
• Smart Assistants, data imputation, Python for Scientific Computing
Validation, Validation, ValidationHow do you know your security monitoring program really works?
I Made A Rule So I’m Good, Right?
▶ Confirm that your rules and correlation searches actually do what they’re supposed to do
▶ Regression testing: does what you did 6 months ago still work?
▶ You don’t wanna miss a thing…. don’t miss widely known vulns
▶ Identify your blind spots
▶ Oh yeah, Splunk detects that… Show me the money!
Purple Teaming The Splunky Way
Phantom as the testing engine
▶ We have lots of controls that can frustrate our adversaries
▶ Somehow they still achieve success
▶ Adversary simulation can help
Red Canary + Phantom = one approach
[Figure: A Framework For Security Content Validation – components: ATT&CK Navigator, Simulation Runner, Splunk, Atomic Red Team App, Phantom, Adversary Simulation Playbooks, and forwarders on OSX, Windows and Linux endpoints.]
Maturity, Our Favorite Thing!!!
Am I like a 5 year old, or a teenager, or a seasoned vet?
Move Up The Maturity Scales
This is the time to be critical of one’s SOC; self assess with some cadence
▶ Identify your current position
• Know Thyself!!!
• Define responsibilities (RACI is your friend)
▶ Define your strategic path
• Align business goals with strategic security plan
▶ Identify skill/tooling gaps
• Where do you need more coverage; prioritize
▶ Create a plan for a path forward
• Create budgetary plans
▶ Define timelines
Prioritization Of Objectives – One Approach
[Figure: the same security domain map shown under “Considering Data Sources And Silos”, with each domain rated on a Maturity Level Advancement Scale: Highest Priority (H), Advance 2+ Maturity Levels, Advance 1 Maturity Level, Acceptable Maturity, Out of Scope.]
Lots of noise out here, focus on what matters most for your organization
Increased Maturity = Increased Protection
Don’t go at it alone; look to industry for objective measuring sticks
▶ Progress up the Kill Chain for more advanced response and detections
• Requires additional data sources you may not have
▶ Use MITRE ATT&CK as a guide for expansion of coverage and capabilities
▶ Diamond Model to increase maturity
▶ Conduct internal assessments using the Capability Maturity Model Integration (CMMI) or the Cybersecurity Capability Maturity Model (C2M2)
▶ Utilize industry standards
▶ Be prepared; conduct tabletops, etc.
Source: Blue Lava
Measure Your SOC Maturity (Continuously)
Using a data analytics driven SOC to enhance resiliency
• Gathering data from all areas of an organization
• Automatically sifting through logs
• Prioritizing the risks
• Alerting on and preventing attacks before they can be executed or cause costly damage
• Discovery and prioritization of events
• Determination of risk level
• Identification of assets affected and execution of the appropriate response
• Detailed visibility at the local and network levels
• Analysts act as an intelligent brain
• Situational awareness to respond to intrusions before assets are at risk
[Figure: SOC maturity stages labelled Specific problem, Establish security operations, Solve across multiple domains, Collaborative SOC, Nerve center for security]
Demonstrate Value
Quantify your CSM program, putting data in the context of business (your customer)
Utilize best practices
• For creating correlation searches, to architecture
• Know your customer
Focus on fidelity (quality)
• Less noise, fewer searches and more efficiency, more relevant alerts, better data enrichment and correlations, faster time to action
Communicate risks
• Know your assets (HVA)
• Understand your vulnerabilities
• Assess your threats
• Risk: Assets | Threats | Vulnerabilities
Executive reports (metrics)
• We need their support
• They need data to help support us
• Enable decision making
• Dashboards and rich visualizations
Key Takeaways
TLDR
1. Enable your people – biggest bang for $
2. Be transparent – quantify security and leverage metrics for your benefit (security == risks)
3. Purple teaming – forewarned is forearmed, practice makes perfect….
4. Participate in community – share lessons learned
5. Avoid complacency – continuously seek opportunities for improvement and refinement
6. Focus on business outcomes
Sources
Links, Conf talks, and shout-outs
▶ Our .conf2018 Talk:
• https://static.rainfocus.com/splunk/splunkconf18/sess/1523538581536001Pq3N/finalPDF/SEC1672_BuildingASecurityMonitoring_Final%20%281%29_15385960547480012LOM.pdf
▶ Qmulos
• https://www.qmulos.com/
▶ Palantir Alerting and Detection Strategy Framework
• https://github.com/palantir/alerting-detection-strategy-framework
• https://medium.com/palantir/alerting-and-detection-strategy-framework-52dc33722df2
▶ Jim Apger and Stuart McIntosh – Say Goodbye to Your Big Alert Pipeline…
• https://static.rainfocus.com/splunk/splunkconf18/sess/1523456018499001lxCD/finalPDF/SEC1479_SayGoodbyeToYourBig_Final_1538509127390001SxPF.pdf
▶ Tim Frazier, Dave Herrald and Kyle Champlin – Simulating the Adversary
• https://static.rainfocus.com/splunk/splunkconf18/sess/1522696002986001hj1a/finalPDF/Simulating-the-Adversary-Test-1244_1538791048709001YJnK.pdf